How to load balance FortiGate VPN servers to FortiGSLB

For remote clients connecting to the company HQ over VPN, FortiGSLB resolves the VPN FQDN to the FortiGate VPN server that is geographically closest to the client's current location, subject to that server's availability. If the closest FortiGate VPN server is down, FortiGSLB answers with the next available FortiGate VPN server in another location.

Perform the following steps to load balance FortiGate VPN servers to FortiGSLB.

  1. Create a new VPN on the FortiGate (VPN), or use an existing VPN.
  2. Create an FQDN in GSLB Services.
  3. Create a new Virtual Server Pool and choose 'GEO' as the preferred method.
  4. Create a pool member, a FortiGate connector, and a new connector member (add the FortiGate VPN server's public IP).
  5. Create a second pool member in the same Pool as in step 4, with a second FortiGate connector and a connector member for the second FortiGate VPN server's public IP.

Note: The virtual servers discovered through the FortiGate connector are added to the Pool and the Connector directly, and are then usable in GSLB Services.

Example solution

This example illustrates the solution for the case where all of the clients' incoming traffic comes from one location.

This example assumes the following:

• You have FortiGate VPN servers in two locations.

• Each FortiGate VPN server provides a VPN service through which clients reach the company HQ.

FortiGSLB has one pool containing these two FortiGate VPN servers. It load balances incoming traffic geographically and continuously monitors the status of every VPN server in the pool.

When traffic comes from one location, FortiGSLB directs it to the nearest available server, and redirects it to the other VPN server as soon as that server becomes unavailable. Clients everywhere get the best-performing VPN server and a fast connection to the company HQ, even while traveling.

Perform the following steps:

  1. Create a new VPN on the FortiGate (VPN), or use an existing VPN.
  2. Create the FQDN VPN-hq.fgt.com in GSLB Services.
  3. Create an FQDN member and then create a new virtual server pool 'Pool 1'. Select 'GEO' as the preferred method.
  4. Create a pool member and create a new FortiGate Connector 'fgt-VPN1'. Create a new Data Center 'DC1' and create a new connector member 'VPN1-DC1'. Add the FortiGate VPN public IP 'VPN IP VPN1-DC1' and enable the health check 'Default_HLTHCK_ICMP' or another type.
  5. Create a second pool member and create a new FortiGate Connector 'fgt-VPN2'. Create a new Data Center 'DC2' and create a new connector member 'VPN2-DC2'. Add the FortiGate VPN public IP 'VPN IP VPN2-DC2' and enable the health check 'Default_HLTHCK_ICMP' or another type.

Note: The virtual server discovered through the FortiGate Connector is added to the Pool and the Connector directly, and is then usable in GSLB Services.

Sample topology view at FortiGSLB

Each FortiGate VPN server has now been added to the FortiGSLB pool as a connector member. GSLB load balances client traffic geographically using the connector locations.

After completing these steps, you can monitor the VPN service status of both Location DC1 and Location DC2 on the GSLB Service detail page. FortiGSLB directs traffic to the connector at the nearest location. If the VPN server at the nearest location is down, FortiGSLB directs the traffic to the other available location. If neither VPN server is available, FortiGSLB directs traffic to the default VPN server. Keep in mind that 'Default_HLTHCK_ICMP' only confirms that the FortiGate's public IP answers ping: a FortiGate whose VPN service has stopped but whose interface is still reachable passes this check and keeps receiving clients. Where you need failover on service failure rather than host failure, use a health check type that probes the VPN service port itself.
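The selection behaviour described above (GEO preferred method, per-member health check, failover to the next available location, default server when nothing is healthy) can be modelled to check what answer a client should get in each state. The following is an added illustration written for this page, not FortiGSLB code; the data-center coordinates, the RFC 5737 test IPs, the choice of VPN1-DC1 as default server and the London client location are all assumptions. It also shows why an ICMP-only health check is blind to a VPN service that is down on a host that still answers ping.

```python
from dataclasses import dataclass, replace
from math import asin, cos, radians, sin, sqrt
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ConnectorMember:
    name: str                    # connector member name, e.g. 'VPN1-DC1'
    data_center: str             # FortiGSLB Data Center, e.g. 'DC1'
    public_ip: str               # FortiGate VPN public IP handed out in the DNS answer
    lat: float
    lon: float
    icmp_reply: bool = True      # assumed result of an ICMP health check (host answers ping)
    vpn_service_up: bool = True  # assumed result of probing the VPN service itself


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km; stands in for the GEO 'nearest location' metric."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


HealthCheck = Callable[[ConnectorMember], bool]


def icmp_only(m: ConnectorMember) -> bool:
    """Behaves like Default_HLTHCK_ICMP: the member is 'up' if the host answers ping."""
    return m.icmp_reply


def service_probe(m: ConnectorMember) -> bool:
    """A check that also probes the VPN service: ping alone is not enough."""
    return m.icmp_reply and m.vpn_service_up


def select_member(pool: List[ConnectorMember], client: Tuple[float, float],
                  health_check: HealthCheck, default: ConnectorMember) -> ConnectorMember:
    """GEO preferred method with failover: the nearest member that passes the
    health check wins; if the nearest is down, min() over the remaining healthy
    members yields the next available location; if no member is healthy, the
    configured default server is returned."""
    healthy = [m for m in pool if health_check(m)]
    if not healthy:
        return default
    return min(healthy, key=lambda m: haversine_km(client[0], client[1], m.lat, m.lon))


def resolve(pool: List[ConnectorMember], client: Tuple[float, float],
            health_check: HealthCheck, default: ConnectorMember) -> str:
    """The A-record answer a client at `client` would receive for the VPN FQDN."""
    return select_member(pool, client, health_check, default).public_ip


def make_pool() -> List[ConnectorMember]:
    # Constructed sample pool matching the two-location example on this page.
    # Coordinates and IPs (RFC 5737 documentation ranges) are assumptions.
    return [
        ConnectorMember('VPN1-DC1', 'DC1', '192.0.2.10', 37.77, -122.42),   # DC1, assumed San Francisco
        ConnectorMember('VPN2-DC2', 'DC2', '198.51.100.10', 50.11, 8.68),   # DC2, assumed Frankfurt
    ]


DEFAULT = make_pool()[0]                        # assumption: VPN1-DC1 is the default server
LONDON: Tuple[float, float] = (51.51, -0.13)    # assumed location of a traveling client


def scenarios() -> dict:
    """Walk through the states described in the text and return the DNS answers."""
    pool = make_pool()
    out = {}
    out['nearest'] = resolve(pool, LONDON, icmp_only, DEFAULT)
    # DC2 goes dark: the nearest location is down, so traffic fails over to DC1.
    dc2_down = [replace(m, icmp_reply=False) if m.data_center == 'DC2' else m for m in pool]
    out['failover'] = resolve(dc2_down, LONDON, icmp_only, DEFAULT)
    # Both locations down: the default server is returned even though it failed its check.
    all_down = [replace(m, icmp_reply=False) for m in pool]
    out['all_down'] = resolve(all_down, LONDON, icmp_only, DEFAULT)
    # DC2 still answers ping but its VPN service is down: an ICMP-only check keeps
    # sending the client there; a service-level probe fails over to DC1.
    svc_down = [replace(m, vpn_service_up=False) if m.data_center == 'DC2' else m for m in pool]
    out['icmp_blind'] = resolve(svc_down, LONDON, icmp_only, DEFAULT)
    out['service_aware'] = resolve(svc_down, LONDON, service_probe, DEFAULT)
    return out


if __name__ == '__main__':
    for state, answer in scenarios().items():
        print(f'{state:14s} -> {answer}')
```

Run it as a script to print the answer for each state. The 'icmp_blind' case is the one to watch in a real deployment: if only the ICMP check is enabled, a FortiGate with a stopped VPN service but a live interface still receives clients, which is why the health check type matters as much as the GEO method.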
